ICO says it doesn't need to use its 'big stick'

Despite increased powers to levy fines for breaches of UK data protection rules, the Information Commissioner's Office (ICO) is only using these powers in a tiny fraction of cases.

A Freedom of Information request from encryption specialist ViaSat, made public on Wednesday, revealed that 2,565 data breaches had been reported to the government watchdog in the year since a tougher enforcement regime was introduced in April 2010. Just 36 of these cases have resulted in any form of action by the ICO to date. Only four have resulted in civil penalties.

These four cases have resulted in fines that maxed out at £100,000, a lot less than the £500,000 maximum, adding up to a collective total of £310,000. Hertfordshire County Council was fined £100,000, the toughest penalty to date, after it accidentally faxed details of a child sex abuse case to a member of the public instead of lawyers.

Nearly one in five of the reported breaches of the Data Protection Act over the last year came from a financial sector industry but none have resulted in fines, at least up until now. Santander and Yorkshire Building Society have each been reprimanded for minor breaches of data protection rules since tougher fines came into play last year and increased maximum fines were raised from £50,000 to £500,000.

"The ICO has stated that the embarrassment and poor image of a fine will act as a deterrent and an incentive to improve an organisation's grasp of the Data Protection Act," said Chris McIntosh, chief exec of ViaSat UK. "However, if fines are rare and well below the maximum allowed limit, their value as a deterrent drops."

McIntosh continued: "Organisations will view the rarity of a fine and the associated negative publicity the same way they have viewed the threat of a data breach itself: an event that only happens to other people."

ViaSat also criticised the ICO for seemingly targeting public sector organisations for tougher enforcement. The ICO has taken action against only seven private sector organisations, penalising one, compared to acting against 29 public sector organisations, and wielding the naughty stick against three.

The only private sector firm found foul of the tougher enforcement regime thus far is A4e, which was fined £60,000 last November after losing an unencrypted laptop containing the details of 24,000 people attending the League of Gentlemen-style job clubs it runs for the Department of Work and Pensions.

"The ICO has stated that the private sector has a worse grasp of the Data Protection Act than the public," continued McIntosh. "However, the ICO's actions so far do not seem to encourage any improvement."

McIntosh added that the public sector dutifully reports its failures under the Data Protection Act and receives more, and larger, penalties as a result. Hard-pressed taxpayers ultimately cope with this bill. Meanwhile private-sector firms might be tempted to think that the worst that will happen to them is a small fine, in comparison to the size of their business, and a "slap on the wrists", according to McIntosh.

While acknowledging that ICO has a tough job, McIntosh said it ought to be doing more than "handing out minor fines to local government". He suggested the organisation might be in need of "greater leeway" in imposing heavier penalties as well as more resources towards applying stronger monitoring.

In a statement, the ICO explained that its main aim was getting organisations to abide by data protection rules and that this "isn't always best achieved by issuing organisations or businesses with monetary penalties". It said that the proverbial carrot often worked better than a "big stick".

The data privacy watchdog continued: "Our focus as a regulator is on getting bodies to comply with the Data Protection Act. This isn't always best achieved by issuing organisations or businesses with monetary penalties. The action we will take depends entirely on the details of each individual case.

"The existence of civil monetary penalties has had a markedly beneficial effect on compliance generally. The big stick is there, but doesn't need to be deployed all the time to have an effect.

"Good regulation is about getting the best result in the public interest. For a monetary penalty to be served the Information Commissioner has to satisfy a strict set of criteria including that the breach could have caused substantial damage or substantial distress to individuals and that the organisation knew, or ought to have known, that there was a risk that a breach may occur. We will always consider the imposition of a monetary penalty where these criteria are met."